Net neutered: When ISPs like Comcast crash the cloud – ZDNet

While doing some research on public cloud-based backup to blob storage solutions, I decided to tinker with the possibility of using Azure not just as my backup target but as a replacement for my main file server sitting under my desk.

I had already gone through the process of eliminating all my rack mount systems from my house that were taking up space and consuming too much electricity. These were being used for test purposes and it was easy to replace them with IaaS VMs in Azure.

Using public cloud as your file server, though, that’s a bit different. It’s actually quite easy to do as a small business; the Azure file service makes it easy to turn on SMB/CIFS file sharing with any storage account.

It doesn’t consume compute, just storage costs, but it acts just like any other file server or NAS device on-premises.

And if your business uses business-class broadband, such as an MPLS connection to a Tier-1 telco, it works great. But if you are a SOHO-based business and are using consumer-class broadband, not so much.

It’s got nothing to do with Azure’s technology — that part works great. The problem has to do with what providers like Comcast are doing with access controls on their networks.

When I was setting up my Azure file services, I discovered that I could not map a drive from Windows to the file storage. At first, I thought I had something in my firewall set wrong.

Nope. Even with my firewall set to allow ANY/ANY traffic for that PC's MAC address, I still couldn't connect to it.

After some trial and error and some basic geek forensics, I determined that one of the ports that the SMB protocol uses — TCP 445 — was being blocked upstream. So I called my broadband company, Blue Stream, which maintains the local cable infrastructure in the town where I live in South Florida.

Nope, no ports being blocked there.

But do you know where lots of ports are being blocked? Comcast, which is Blue Stream’s upstream bandwidth provider.
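A way to reproduce the kind of check described above, as an added example that is not part of the original article: probe TCP 445 on the storage account's Azure Files endpoint and compare the result with HTTPS (443) on the same host, so that a silent timeout on 445 while 443 connects points at filtering somewhere on the path rather than a dead host. The storage account name is a placeholder.

```python
"""Is TCP 445 (SMB) reachable from this network, and if not, does the failure
look like an in-path block rather than a dead host?  Constructed example.
Azure Files endpoints have the form <account>.file.core.windows.net; HTTPS on
the same host is used as the control port.  The account name is a placeholder."""
import socket


def probe_tcp(host, port, timeout=3.0):
    """One TCP connect attempt: 'open', 'refused', 'timeout' or 'error:<name>'."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except socket.timeout:
        return "timeout"           # SYN sent, nothing came back: typical of a filter
    except ConnectionRefusedError:
        return "refused"           # RST received: the host answered, port is closed
    except OSError as exc:         # name resolution failure, no route, etc.
        return "error:" + type(exc).__name__
    finally:
        sock.close()


def diagnose(smb, control):
    """Interpret the SMB-port outcome relative to the control-port outcome."""
    if smb == "open":
        return "smb-reachable"
    if control != "open":
        return "inconclusive"          # host or DNS down; says nothing about 445
    if smb == "timeout":
        return "smb-dropped-in-path"   # 443 works, 445 SYNs vanish: filtering upstream
    if smb == "refused":
        return "smb-closed-on-host"    # reached the host; nothing listening, no filter
    return "inconclusive"


def check_azure_files(account="mystorageacct", timeout=3.0):
    """Probe 445 and 443 on the account's Azure Files endpoint and return a verdict."""
    host = f"{account}.file.core.windows.net"
    smb = probe_tcp(host, 445, timeout)
    control = probe_tcp(host, 443, timeout)
    return host, smb, control, diagnose(smb, control)


if __name__ == "__main__":
    host, smb, control, verdict = check_azure_files()
    print(f"{host}: 445={smb} 443={control} -> {verdict}")
```

Run it once from the consumer connection and once over the VPN; the verdict should flip from "smb-dropped-in-path" to "smb-reachable" if the block is on the ISP path.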

Comcast presumably blocks port 445 because it is the SMB port the WannaCry malware used to spread between systems. However, it's also the port Microsoft Active Directory uses.

So, if you use Comcast, but want to develop and test file services on Azure, you’re going to have to establish a VPN connection, which kind of defeats the purpose of being able to access your file services from any mobile device.

Comcast is not the only provider that blocks certain ports. AT&T does, as do others.

I understand ISPs wanting to be proactive about security, but blocking ports that essentially disable functionality on major cloud services is unacceptable.

I feel… Comcastrated.

Now, Microsoft could fix this problem by making protocol changes to SMB — by having it communicate over alternate ports and being able to configure that in Azure. But that means making changes to the Windows OS communications protocol stack and pushing that out to tens of millions of systems.

It would also mean changes to the SMB/CIFS standard itself, which would then need to be rolled out to Samba and anything else that speaks the protocol, including all sorts of NAS devices that run on Linux and other derivative OSes.

SMB is just one protocol. There are others that are needed for so many other apps. We can’t change or replace all of them every time a new piece of malware comes out.

What we need is a better solution for monitoring network traffic and acting on threats at the residential level rather than blocking ports wholesale.

Ideally, it would be great to be able to provide a deep packet inspection device to every home, but this type of technology is typically deployed at enterprises and it starts at around $1,000 an appliance and can cost upward of thousands of dollars a year for the subscription, depending on the vendor.

For one thing, there's no reason why the industry cannot build a packet-inspection and intrusion-detection/web application gateway from open source components, deploy it in a multi-tenant fashion at the provider's network edge, and give home broadband customers an app to secure their traffic in an easy, wizard-like, self-service fashion.

Log threats going in and out, get notifications on strange activity, all that good stuff.

As more and more of our services go cloud-based, particularly with the proliferation of Internet of Things devices that need constant connectivity, we are going to need a better way to proactively monitor and act on internet traffic coming from the home. Ham-fisted and draconian methods such as wholesale port blocking diminish the value of the broadband connection in the first place.

This isn’t just an issue of net neutrality; it’s the only way we are going to be able to seamlessly move to the cloud, long term. The price of entry should not have to be a direct Tier-1 leased line, with an enterprise class service-level agreement and a private virtual circuit to the cloud provider.

Cloud services should be accessible to everyone. It is possible to be both safe and open, but it will require a re-thinking of how providers allow access to those pipes.